I have a new ADFS implementation running on Server 2019. After setup, I tested authentication for various user accounts using the /adfs/ls/IdpInitiatedSignon.aspx page. Most of the accounts I tested worked fine with no issues. There are a few accounts, however, that exhibit the following behavior:
- Signing in with a wrong username/password results in an error message indicating the username/password is incorrect. This is expected and desirable.
- Signing in with correct username/password results in a page refresh, displaying the sign-in form again. There is no error message. I'll call this the "refresh sign-in".
In the Security event log on the ADFS server, I see the following three events related to the "refresh sign-in":
- Event 4648 - A logon was attempted using explicit credentials.
- Event 4624 - An account was successfully logged on.
- Event 4625 - An account failed to log on (Failure reason: Unknown user name or bad password).
A few pieces of info:
- ADFS is configured to use a group managed service account called FsGmsa. It is a member of the Windows Authorization Access Group.
- "Forms" and "Microsoft Passport Authentication" are enabled as the primary authentication methods. I will eventually add Azure MFA.
- All tests have been run in the intranet.
- All certificates are valid and haven't expired.
- I get the same results for the same users, regardless of what computer/device is used.
- I cannot find any similarities or differences between the accounts that work and the accounts that don't.
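An added example (not part of the question above) for pulling the 4648/4624/4625 triplet for a single account from the AD FS server's Security log, so a working account and a "refresh sign-in" account can be compared field by field; the account name in $User and the 30-minute lookback window are assumptions:

```powershell
# Added example, not from the original post. Run on the AD FS server as an
# administrator. $User is an assumed sAMAccountName of an affected account.
param(
    [string]$User = 'jdoe',      # assumption: account showing the "refresh sign-in"
    [int]$MinutesBack = 30       # assumption: how far back to search
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4648
    StartTime = (Get-Date).AddMinutes(-$MinutesBack)
}

# EventData fields worth comparing between a working and a failing account.
# SubjectUserName on a 4648 is the identity that supplied the credentials
# (for AD FS this is normally the service account, e.g. the gMSA).
$fields = 'SubjectUserName', 'TargetUserName', 'TargetDomainName',
          'LogonType', 'AuthenticationPackageName', 'LogonProcessName',
          'Status', 'SubStatus', 'ProcessName', 'WorkstationName'

Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
    # Parse the event XML so the named EventData fields can be read directly.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Keep only events about the account under test (case-insensitive).
    if ($data['TargetUserName'] -ine $User) { return }

    $row = [ordered]@{ Time = $_.TimeCreated; Id = $_.Id }
    foreach ($f in $fields) {
        if ($data.ContainsKey($f)) { $row[$f] = $data[$f] }
    }
    [pscustomobject]$row
} | Sort-Object Time | Format-List
```

On the 4625, SubStatus 0xC0000064 means the user name was not found while 0xC000006A means a bad password, which narrows down which of the two the generic "Unknown user name or bad password" text is reporting. Comparing LogonType, AuthenticationPackageName and ProcessName between the 4624 and the 4625 shows whether the failure comes from the same logon path as the success or from a second, separate credential check.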